Start Free Trial
Platform Intelligence Layer

Context governance
for autonomous AI agents

Your agents are accessing data your compliance team has never seen

AutoPIL enforces access policy at retrieval time — before sensitive data enters your agent's context window. Every decision is logged, auditable, and observable.

Start Free Trial Read the docs
Agent
@guard.protect()
Policy Engine
ALLOW
/
DENY
Audit log  ·  Real-time alerting  ·  OpenTelemetry
Capabilities

Everything your compliance team
needs to say yes to agentic AI

Built for regulated industries — where a data access violation is a compliance incident, not just a bug.

🔒
Policy engine
YAML-based policies with source allowlists, denylists, and sensitivity ceilings. Deny by default. Hot-reload without service restarts. Full CRUD via REST API with version history.
policies/
📋
Immutable audit log
Every retrieval attempt is logged — decision, policy matched, reason, context hash, and timestamp. Append-only. No delete API. Every event is cryptographically chained to the one before it. SQLite for dev, Postgres for production.
audit_events
⛓️
Tamper-evident hash chain SOC 2
Every audit event is SHA-256 linked to the one before it. Any modification to any past record breaks the chain. One API call verifies the entire log — and tells you exactly which event was altered.
GET /v1/audit/verify
🔔
Real-time alerting
Threshold rules on denial spikes, new data source access, cross-agent isolation violations, and high deny rates. Webhook and email delivery with per-rule cooldowns.
AlertEngine
📡
OpenTelemetry
Spans and metrics emitted from every policy evaluation. Routes to Datadog, Grafana, and Splunk via OTEL_EXPORTER_OTLP_ENDPOINT. Zero overhead when not configured.
autopil.evaluate
🏢
Multi-tenancy
Row-level tenant isolation across all tables. Each tenant's audit events, policies, and alert rules are fully separated. Superadmin provisioning via REST API.
tenant_id
🔗
Cross-agent isolation
A session belongs to the first agent that accessed it. Any other agent attempting the same session is automatically denied and logged — no configuration needed.
cross_agent_isolation
Async-native
protect_async uses Python ContextVar for concurrent-safe tracking across async agents. Fully compatible with asyncio, FastAPI, and aioboto3.
protect_async
🌐
ASGI middleware
HTTP-layer enforcement for FastAPI and Starlette apps. RouteRule maps URL patterns to policies. Shadow mode for zero-disruption rollout. Buffers and replays the request body.
AutoPILMiddleware
📊
Live dashboard
Real-time charts, full-text search, isolation violation banner, trend arrows on denial rates, and a channel distribution donut across all 10 integration channels.
by_source_type
📈
PIL Score
A 0–100 governance health index computed from your last 30 days of enforcement activity. Four bands: Governed, Monitored, At Risk, Critical. Five components break down exactly where your posture is strong and where it needs work — visible in the dashboard and queryable via API for board reporting.
GET /v1/audit/pil-score
View all capabilities →
How it works

Ten ways to integrate.
One governance layer.

Adopt AutoPIL with a decorator, MCP tool call, REST request, ASGI middleware, or native wrappers for LangChain, LlamaIndex, Gemini, OpenAI Agents, and AWS Bedrock. Every path runs the same policy engine, writes to the same audit log, and fires the same alert rules.

1
Session isolation
Every agent operates within a time-bounded, role-specific session. Access rights are tied to the session — when it expires or is revoked, the data access it granted ends immediately. No agent can inherit or share another agent's session.
2
Policy evaluation
Every request is checked against the agent's assigned policy before any data is returned. What sources an agent can reach, how sensitive the data can be, and whether that ceiling narrows as the session ages — all enforced at the retrieval layer, before sensitive data ever enters the agent's context.
3
Audit event recorded
Every decision — allow or deny — is written with the policy name, reason, context hash, and timestamp. Append-only. No delete API.
4
Alert rules evaluated
Threshold rules fire webhook or email notifications on denial spikes, new source access, and isolation violations.
system prompt — pre-check pattern 
# Add to your agent's system prompt:
Before accessing any data source, call evaluate_context:
  agent_role: loan_underwriter
  user_id: <current user>
  source_id: <data source you want>
  sensitivity_level: high
  session_id: <conversation id>

Only proceed if decision is ALLOW.
After retrieval, call record_action with the event_id.
evaluate_context → ALLOW response 
✅ ALLOW — loan_underwriter may access 'credit_scores'.
Policy: loan_underwriter_policy
Event ID: evt_abc123
# pass event_id to record_action to complete the lineage chain
evaluate_context → DENY response 
🚫 DENY — loan_underwriter cannot access 'executive_communications'.
Reason: source is on denylist for this role
Policy: loan_underwriter_policy
Do not proceed. Inform the user access is not permitted.
Start the server: autopil-mcp --policy policies/ — then add it to your Claude Desktop or agent config. No code changes in the agent required.
See all 10 integration channels →
The gap that existing tools miss

Data catalogs govern upstream.
Output filters govern downstream.
Nothing governs context.

Autonomous agents across regulated industries pull data at runtime — from vector stores, databases, and APIs. What enters the context window is unprotected by your existing governance stack.

Data boundary violation
Sensitive data enters a context window it was never meant to reach
No enforcement between the agent and the data source. The query succeeds. The violation is invisible. You find out during a regulatory exam.
Cross-agent contamination
One agent's context bleeds into another's
Agents in the same pipeline share session boundaries. Without context isolation enforcement, what one agent sees becomes another agent's input.
Compliance blind spot
No record of what entered any agent's context
When auditors ask what data your AI used to make a decision, there is nothing to show. Every context window is invisible to your compliance team.
Silent policy violations
Context access anomalies go undetected
Anomalies that would trigger immediate review in a human-operated system pass through an agentic pipeline without ever surfacing an alert.
Pre-built policy coverage

135 policies across
12 industries

Ship governance-ready on day one. Each industry pack defines agent roles, allowed sources, denied sources, and sensitivity ceilings — ready to load and customize.

🏦 Financial Services 25 🏥 Healthcare 17 📡 Telecom 9 🚛 Logistics 9 🛡️ Insurance 10 🛒 Retail 10 ⚡ Energy 10 🏭 Manufacturing 10 🏠 Real Estate 10 💊 Pharmacy 10 🏛️ Public Sector 10 💻 Technology 5
135
Pre-built policies, ready to use
Load any industry pack with policy_path="policies/" — all files are loaded automatically. Customize or extend any policy via the REST API without redeploying.
View all industries →
For CDAOs and Data Governance leaders

Governance that keeps
pace with agentic AI

"Most enterprise data governance frameworks were designed for humans querying data. Autonomous agents operate at a fundamentally different speed and scale — and the governance tools have to catch up."

  • Role-based access enforcement at the retrieval layer — not just at the application layer
  • Immutable audit trail with SHA-256 hash chaining — cryptographic proof the log was never altered, verifiable on demand via a single API call
  • Real-time alerts when an agent touches data it shouldn't — before the next retrieval happens
  • Policy version history for every change — who changed what, and when
  • Hot-reload policies without restarting agents or disrupting production pipelines
  • PIL Score — a 0–100 governance health index updated daily from your audit activity. Governed, Monitored, At Risk, or Critical. The answer your board is asking for.
Financial Services Healthcare Telecom Logistics Insurance Retail Energy Manufacturing Real Estate Pharmacy Public Sector SOX SOC 2 GDPR HIPAA CPNI FISMA
See the full governance picture →
Query the audit log 
# What did the loan_underwriter agent access today?
curl "https://api.autopil.ai/v1/audit/events\
  ?agent_role=loan_underwriter\
  &decision=ALLOW\
  &limit=50" \
  -H "X-API-Key: apl_yourkey"

# Response
[
  {
    "event_id": "evt_abc123",
    "agent_role": "loan_underwriter",
    "source_id": "credit_scores",
    "decision": "ALLOW",
    "policy_name": "loan_underwriter_policy",
    "timestamp": "2026-03-26T14:22:01Z"
  },
  ...
]
Set an alert rule 
# Alert if deny rate exceeds 20% in any 10-minute window
curl -X POST "https://api.autopil.ai/v1/alerts/rules" \
  -H "X-API-Key: apl_yourkey" \
  -d '{
    "rule_type": "high_deny_rate",
    "threshold": 0.20,
    "window_minutes": 10,
    "notify_url": "https://hooks.slack.com/..."
  }'
Documentation

Docs, architecture, and SDK —
built to be transparent

Every enforcement decision, storage layer, and SDK method is fully documented. Start with the architecture overview or go straight to the guide that matches your role.

Request enforcement path
Agent loan_underwriter your retrieval code @guard.protect() policy · session · hash OTEL span emitted one decorator Session Check expired · revoked cross-agent isolation lifecycle enforcement Policy Engine source · task · sensitivity deny-by-default YAML or REST API ALLOW DENY Audit Log append-only · no delete SQLite · Postgres every decision logged
Storage layer — 7 stores, row-level tenant isolation
📋
audit_log
Every allow & deny event
🔑
key_store
API key management
🏢
tenant_store
Multi-tenant provisioning
🔒
policy_store
Policies + version history
🔔
alert_store
Rules + fired deliveries
🔗
lineage_store
Agent action provenance
session_store
Session lifecycle & TTLs
🏛
Architecture
Full system design — enforcement flow, storage layer, multi-tenancy, and OTEL integration.
📜
Policy Guide
YAML format, evaluation order, sensitivity levels, task scoping, and hot-reload.
🔍
Audit Log Guide
What gets logged, special policy names, bulk export, action lineage, and alerting.
🐍
Python SDK
ContextGuard, PolicyEngine, create_stores(), all store ABCs, and decorator reference.
🟦
TypeScript SDK
AutoPilClient, all resources (context, sessions, audit, lineage, policies, alerts), and types.
🐹
Go SDK
stdlib-only client — no external dependencies. Context, audit, sessions, and policies. Go 1.21+.
Java SDK
Jackson-only client with builder-pattern request models. Java 17+. Tested with JUnit 5.

Bring governance to
your agent stack

Govern the context. Trust the agent.™

Whether you're evaluating AutoPIL for a production deployment or exploring what retrieval-layer governance looks like for your organization — reach out.

Start Free Trial